Posted to commits@commons.apache.org by ec...@apache.org on 2016/06/30 19:49:46 UTC

svn commit: r1750857 - in /commons/proper/fileupload/trunk/src: changes/changes.xml site/site.xml site/xdoc/security-reports.xml

Author: ecki
Date: Thu Jun 30 19:49:46 2016
New Revision: 1750857

URL: http://svn.apache.org/viewvc?rev=1750857&view=rev
Log:
Site: add security report

Added:
    commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml
Modified:
    commons/proper/fileupload/trunk/src/changes/changes.xml
    commons/proper/fileupload/trunk/src/site/site.xml

Modified: commons/proper/fileupload/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/changes/changes.xml?rev=1750857&r1=1750856&r2=1750857&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/changes/changes.xml (original)
+++ commons/proper/fileupload/trunk/src/changes/changes.xml Thu Jun 30 19:49:46 2016
@@ -39,7 +39,7 @@ The <action> type attribute can be add,u
 
   <properties>
     <title>Release Notes</title>
-    <author email="martinc@apache.org">Martin Cooper</author>
+    <author email="dev@commons.apache.org">Apache Commons Developers</author>
   </properties>
 
   <body>
@@ -57,6 +57,7 @@ The <action> type attribute can be add,u
       <action issue="FILEUPLOAD-246" dev="sebb" type="update">FileUpload should use IOUtils.closeQuietly where relevant</action>
       <action issue="FILEUPLOAD-245" dev="sebb" type="fix">DiskFileItem.get() may not fully read the data</action>
       <action issue="FILEUPLOAD-243" dev="sebb" type="update" due-to="Ville Skyttä">Make some MultipartStream private fields final</action>
+      <action                        dev="ecki" type="add">Site: added security report</action>
     </release>
 
     <release version="1.3.2" description="Bugfix release for 1.3.1" date="2016-05-26">

Modified: commons/proper/fileupload/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/site.xml?rev=1750857&r1=1750856&r2=1750857&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/site/site.xml (original)
+++ commons/proper/fileupload/trunk/src/site/site.xml Thu Jun 30 19:49:46 2016
@@ -32,6 +32,7 @@
       <item name="FAQ"                      href="/faq.html" />
       <item name="Javadoc"                  href="apidocs/index.html" />
       <item name="Download"                 href="/download_fileupload.cgi" />
+      <item name="Security Reports"         href="/security-reports.html"/>
       <item name="Mailing lists"            href="/mail-lists.html" />
       <item name="Issue Tracking"           href="/issue-tracking.html" />
       <item name="Team"                     href="/team-list.html" />

Added: commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml?rev=1750857&view=auto
==============================================================================
--- commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml (added)
+++ commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml Thu Jun 30 19:49:46 2016
@@ -0,0 +1,106 @@
+<?xml version="1.0"?>
+<!--
+
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Commons Fileupload Security Reports</title>
+        <author email="dev@commons.apache.org">Commons Documentation Team</author>
+    </properties>
+    <body>
+      <section name="Apache Commons Fileupload Security Vulnerabilities">
+        <p>This page lists all security vulnerabilities fixed in
+        released versions of Apache Commons Fileupload. Each
+        vulnerability is given a security impact rating by the
+        development team - please note that this rating may vary from
+        platform to platform. We also list the versions of Commons
+        Fileupload the flaw is known to affect, and where a flaw has not
+        been verified list the version with a question mark.</p>
+
+        <p>Please note that binary patches are never provided. If you
+        need to apply a source code patch, use the building
+        instructions for the Commons Fileupload version that you are
+        using.</p>
+
+        <p>If you need help on building Commons Fileupload or other help
+        on following the instructions to mitigate the known
+        vulnerabilities listed here, please send your questions to the
+        public <a href="mail-lists.html">Commons Users mailing
+        list</a>.</p>
+
+        <p>If you have encountered an unlisted security vulnerability
+        or other unexpected behaviour that has security impact, or if
+        the descriptions here are incomplete, please report them
+        privately to the Apache Security Team. Thank you.</p>
+
+        <p>For information about reporting or asking questions about
+        security problems, please see the <a
+        href="http://commons.apache.org/security.html">security page
+        of the Apache Commons project</a>.</p>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3.2">
+          <p><b>Low: Denial of Service</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092">CVE-2016-3092</a></p>
+ 
+          <p>Specially crafted input can trigger a DoS (slow uploads), if the size of the MIME
+          boundary is close to the size of the buffer in MultipartStream. This is also fixed
+          for <a href="https://tomcat.apache.org/security.html">Apache Tomcat</a>.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1743480">1743480</a>.</p>
+
+          <p>Affects: 1.0? - 1.3.1</p>
+        </subsection>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3.1">
+          <p><b>Low: Denial of Service</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0050">CVE-2014-0050</a></p>
+
+          <p>MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
+          <a href="https://tomcat.apache.org/security.html">Apache Tomcat</a>,
+          JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite
+          loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended
+          exit conditions.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1565143">1565143</a>.</p>
+
+          <p>Affects: 1.0? - 1.3</p>
+        </subsection>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3">
+
+          <p><b>Low: Improved Documentation for Multitenancy</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0248">CVE-2013-0248</a></p>
+
+          <p>Update the Javadoc and documentation to make it clear that setting a repository
+          is required for a secure configuration if there are local, untrusted users.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1453273">1453273</a>.</p>
+
+          <p>Affects: 1.0 - 1.2.2</p>
+        </subsection>
+
+		</section>
+
+      <section name="Errors and Ommissions">
+        <p>Please report any errors or omissions to <a
+        href="mail-lists.html">the dev mailing list</a>.</p>
+      </section>
+    </body>
+</document>
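Review bot: The CVE links for the two older advisories are missing the `CVE-` prefix: the hrefs at the CVE-2014-0050 and CVE-2013-0248 entries use `cvename.cgi?name=2014-0050` and `cvename.cgi?name=2013-0248`, whereas the CVE-2016-3092 entry correctly uses `name=CVE-2016-3092`; the MITRE lookup is keyed on the full identifier, so these two links very likely do not resolve, which matters on a page readers use to verify advisories. They should read `href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050"` and `href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248"`. Each subsection also says "This was fixed in revisions" while listing exactly one revision, so "revision" (singular) would be accurate, and the section title `Errors and Ommissions` is misspelled — `<section name="Errors and Omissions">`. Minor style: the closing `</section>` before that section is indented with a tab while the rest of the file uses spaces.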